Administration Console Online Help

Security Realm: User Lockout

Password guessing is a common type of security attack. In this type of
attack, a hacker attempts to log in to a computer by trying many
combinations of usernames and passwords. This page lets you define how
user lockouts are handled in this security realm.

WebLogic Server provides a set of attributes to protect user accounts
from intruders. By default, these attributes are set for maximum
protection. As a system administrator, you have the option of turning off
all the attributes, increasing the number of login attempts allowed before a
user account is locked, lengthening the time window within which invalid
login attempts are counted before the user account is locked, and changing
the amount of time a user account stays locked. Remember that loosening the
attributes on this page lessens security and leaves user accounts more
vulnerable to password-guessing attacks.

If a user lockout security event occurs on one node of a cluster, the
other nodes in the cluster are notified of the event and the user account
is locked on all nodes in the cluster. This feature prevents a hacker from
systematically breaking into all the nodes in a cluster.

Note: The User Lockout attributes apply to the security realm and all
its security providers. If you are using an Authentication provider that
has its own mechanism for protecting user accounts, disable the Lockout
Enabled attribute.

If a user account becomes locked and you delete the user account and
add another user account with the same name and password, the lockout is
not reset: the new account is still locked.

Lockout Threshold

The maximum number of consecutive invalid login attempts that can
occur before a user's account is locked out.

Any subsequent attempts to access the account (even if the
username/password combination is correct) raise a Security exception;
the account remains locked until it is explicitly unlocked by the
system administrator or another login attempt is made after the
lockout duration period ends. Invalid login attempts must be made
within a span defined by the Lockout Reset Duration attribute.

Lockout Reset Duration

The number of minutes within which consecutive invalid login
attempts cause a user's account to be locked out.

An account is locked if the number of invalid login attempts
defined in the Lockout Threshold attribute happens within the number
of minutes defined by this attribute. For example, if the value in
Lockout Reset Duration attribute is 5 minutes, the Lockout Threshold
is 3, and 3 invalid login attempts are made within a 6 minute
interval, then the account is not locked. If 3 invalid login attempts
are made within a 5 minute period, however, then the account is
locked.

The maximum number of invalid login records that the server keeps
in memory.

If the number of invalid login records is equal to or greater than
the value of this attribute, the server's garbage collection purges
the records that have expired. A record expires when the user is
unlocked or when the Lockout Reset Duration has elapsed for that
record.
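The following is an added reference model of the lockout behaviour described on this page (the Lockout Threshold, Lockout Reset Duration, lockout duration and the in-memory record purge); it is illustrative Python written for this help page, not WebLogic Server code, and it makes no use of WebLogic APIs. The attribute names follow the page; `record_gc_threshold` is a hypothetical name for the in-memory record limit, the credential store and default values are constructed, and treating a successful login as ending a run of "consecutive" invalid attempts is this model's reading of the page. `run_page_example` replays the page's own scenario: threshold 3, reset duration 5 minutes, three invalid attempts spread over 6 minutes (not locked) versus 5 minutes (locked).

```python
"""Reference model of the User Lockout attributes (added example, not
WebLogic code). Times are minutes on a simple integer clock."""
from dataclasses import dataclass, field


@dataclass
class LockoutPolicy:
    # Attribute names follow the help page; the default values are constructed.
    lockout_enabled: bool = True
    lockout_threshold: int = 3        # invalid attempts before the account locks
    lockout_reset_duration: int = 5   # minutes: window in which attempts are counted
    lockout_duration: int = 30        # minutes the account stays locked
    record_gc_threshold: int = 400    # hypothetical name: max invalid-login records kept


@dataclass
class LockoutTracker:
    policy: LockoutPolicy
    credentials: dict                                   # constructed: user -> password
    failures: dict = field(default_factory=dict)        # user -> [minute of each failure]
    locked_until: dict = field(default_factory=dict)    # user -> minute the lock expires

    def is_locked(self, user, now):
        until = self.locked_until.get(user)
        if until is None:
            return False
        if now < until:
            return True
        # The lockout duration has ended: the next attempt clears the lock.
        del self.locked_until[user]
        return False

    def admin_unlock(self, user):
        # Explicit unlock by the system administrator; its records expire too.
        self.locked_until.pop(user, None)
        self.failures.pop(user, None)

    def login(self, user, password, now):
        """Return 'ok', 'invalid' or 'locked' for one login attempt at minute `now`."""
        p = self.policy
        if p.lockout_enabled and self.is_locked(user, now):
            return "locked"                 # refused even with the correct password
        if self.credentials.get(user) == password:
            self.failures.pop(user, None)   # a success ends the run of invalid attempts
            return "ok"
        if not p.lockout_enabled:
            return "invalid"
        # Keep only the invalid attempts that fall inside the reset window.
        recent = [t for t in self.failures.get(user, [])
                  if now - t <= p.lockout_reset_duration]
        recent.append(now)
        self.failures[user] = recent
        if len(recent) >= p.lockout_threshold:
            self.locked_until[user] = now + p.lockout_duration
            self.failures.pop(user, None)   # records of a locked user are released
        self.gc(now)
        return "invalid"

    def record_count(self):
        return sum(len(ts) for ts in self.failures.values())

    def gc(self, now):
        """Purge expired records once the in-memory count reaches the GC threshold.
        Returns the number of records purged."""
        if self.record_count() < self.policy.record_gc_threshold:
            return 0
        purged = 0
        for user in list(self.failures):
            live = [t for t in self.failures[user]
                    if now - t <= self.policy.lockout_reset_duration]
            purged += len(self.failures[user]) - len(live)
            if live:
                self.failures[user] = live
            else:
                del self.failures[user]
        return purged


def run_page_example():
    """Replay the page's scenario; returns (locked after 0,3,6 min; locked after 0,3,5 min)."""
    policy = LockoutPolicy(lockout_threshold=3, lockout_reset_duration=5)
    results = []
    for minutes in ((0, 3, 6), (0, 3, 5)):
        tracker = LockoutTracker(policy, {"alice": "s3cret"})   # constructed sample user
        for m in minutes:
            tracker.login("alice", "wrong-password", m)
        results.append(tracker.is_locked("alice", minutes[-1]))
    return tuple(results)


if __name__ == "__main__":
    print(run_page_example())   # (False, True)
```

The window test uses `now - t <= lockout_reset_duration`, which is what makes three attempts spread over exactly 5 minutes lock the account while attempts spread over 6 minutes do not, matching the page's example. When auditing a deployment, the same questions this model makes explicit are the ones to ask: how many attempts fit inside the reset window, how long a lock lasts, and whether the Authentication provider in use has its own lockout that would double up with the realm's.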